This topic only applies to Armor Anywhere users.


Overview

In some environments, architectural constraints prevent Armor services from delivering security updates and monitoring to your servers.

If your servers sit behind firewall controls that block ordinary outbound communication, you can deploy a port-forwarding server that relays traffic between those servers and the Armor API and service endpoints.

The port-forwarding server sits inside your environment and is the one host that does need outbound access. Servers without outbound access send their Armor Anywhere traffic to this host instead, and it forwards that traffic on to Armor.

This solution uses iptables to forward service traffic out of the customer environment and into Armor.


Step 1: Review requirements

To perform a port-forwarding server deployment, you need the following resources and information:

  • A Linux server running the OS of your choice (CentOS recommended; the install script in Step 3 supports CentOS 6 and Ubuntu 14.04)
  • 1 vCPU / 1 GB RAM minimum
  • The iptables package installed
  • The Anywhere Agent installed on the port-forwarding server (Step 3)
  • An external IP address for the port-forwarding server
  • Outbound access from the port-forwarding server to get.core.armor.com, to download the configuration script
  • Hosts-file modifications on each server that subsequently receives an Anywhere Agent install (Step 3)

Step 2: Review firewall rules 

Servers with the Anywhere agent

All servers that run the Anywhere agent need outbound access to the port-forwarding server's IP address on the following ports:

Purpose / Service                         Port        Destination
Armor Agent Heartbeat                     443/tcp     Your port-forwarding server IP
Malware Protection, FIM, IDS              4119/tcp    Your port-forwarding server IP
DSM                                       4120/tcp    Your port-forwarding server IP
Relay                                     4122/tcp    Your port-forwarding server IP
Log Management (Filebeat / Winlogbeat)    515/tcp     Your port-forwarding server IP
Monitoring                                8443/tcp    Your port-forwarding server IP
Remote Access                             443/tcp     Your port-forwarding server IP
Vulnerability Scanning                    443/tcp *   Your port-forwarding server IP

* The agent performs a DNS lookup of the applicable name, which may resolve to one of several Amazon Web Services subnets. If your firewall cannot filter outbound traffic by domain name, you may need to allow all outbound 443/tcp to accommodate this service.


Port-Forwarding Server

The port-forwarding server itself needs the following access. Its outbound rules carry the forwarded traffic of every server registered with Armor Anywhere, so they are required regardless of how many agents sit behind it.

Direction   Service / Purpose                          Port                  (destinations listed beneath each row)
Outbound    Armor Agent                                443/tcp
  • 146.88.106.210 (api.armor.com)
Outbound    Malware Protection, FIM, IDS               4119/tcp
  • 146.88.106.197 (1a.epsec.armor.com)
  • 146.88.114.197 (2a.epsec.armor.com)
  • 35.163.135.130, 34.214.246.111, 52.13.172.208 (3a.epsec.armor.com)
Outbound    DSM                                        4120/tcp
  • 146.88.106.197 (1b.epsec.armor.com)
  • 146.88.114.197 (2b.epsec.armor.com)
  • 35.163.135.130, 34.214.246.111, 52.13.172.208 (3a.epsec.armor.com)
Outbound    Relay                                      4122/tcp
  • 146.88.106.197 (1c.epsec.armor.com)
  • 146.88.114.197 (2c.epsec.armor.com)
  • 35.163.135.130, 34.214.246.111, 52.13.172.208 (3a.epsec.armor.com)
Outbound    Log Management (Filebeat / Winlogbeat)     515/tcp
  • 146.88.106.196 (1a.log.armor.com)
  • 146.88.144.196 (2a.log.armor.com)
Outbound    Monitoring                                 8443/tcp
  • 146.88.106.200 (1a.mon.armor.com)
  • 146.88.114.200 (2a.mon.armor.com)
Outbound    Remote Access                              443/tcp
  • 146.88.106.216 (1a.rs.armor.com)
  • 146.88.114.216 (alternate)
Outbound    Vulnerability Scanning (Rapid7 ingress)    443/tcp *
  • United States: 34.226.68.35, 54.144.111.231, 52.203.25.223, 34.236.161.191 (endpoint.ingress.rapid7.com)
  • Canada: 52.60.40.157, 52.60.107.153 (ca.endpoint.ingress.rapid7.com)
  • Europe: 3.120.196.152, 3.120.221.108 (eu.endpoint.ingress.rapid7.com)
  • Australia: 52.64.24.140, 13.55.81.47, 13.236.168.124 (au.endpoint.ingress.rapid7.com)
  • Japan / Asia / Asia Pacific: 103.4.8.209, 18.182.167.99 (ap.endpoint.ingress.rapid7.com)
Outbound    Vulnerability Scanning (Amazon S3)         443/tcp *
  • s3.amazonaws.com (United States)
  • s3.ca-central-1.amazonaws.com (Canada)
  • s3.eu-central-1.amazonaws.com (Europe)
  • s3.ap-northeast-1.amazonaws.com (Asia / Asia Pacific)
  • s3-ap-southeast-2.amazonaws.com (Australia)
Inbound     Log Relay (Logstash)                       5140/udp, 5141/tcp
  • The IP address of your port-forwarding virtual machine
Outbound    Log Relay (Armor's logging service, ELK)   5443/tcp; 5400-5600/tcp reserved **
  • 1c.log.armor.com ***

* The agent performs a DNS lookup of the applicable name, which may resolve to one of several Amazon Web Services subnets. If your firewall cannot filter outbound traffic by domain name, you may need to allow all outbound 443/tcp for this service.

** Armor reserves the right to use the 5400-5600/tcp range for future expansion or service changes.

*** These endpoints are served by Amazon Elastic Load Balancers, so the actual addresses vary across Amazon's IP ranges.

Finally, confirm that the port-forwarding server itself can reach these external destinations before you point any agents at it.
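The rules that the downloaded iptables configuration has to express can be reconstructed from the port table above. The following is an added example, not Armor's distributed centos6-iptables.conf or ubuntu14-iptables.conf: it generates a destination-NAT ruleset that listens on the agent-facing ports from the table and forwards each one to a single upstream Armor address. It assumes one network interface (PF_IFACE, default eth0) and picks the first-listed "1a" address for each service; the function names and the show/apply arguments are this example's own.

```shell
#!/bin/sh
# Illustrative iptables ruleset for an Armor Anywhere port-forwarding server,
# built from the port table in this article. Added example; NOT Armor's
# distributed centos6-iptables.conf / ubuntu14-iptables.conf.
#
# Assumptions (not from the page): one interface ($PF_IFACE, default eth0),
# and where a service lists several upstream addresses the first-listed "1a"
# address is used. A port-based DNAT sends each listening port to exactly one
# upstream, so every name the agents map to this host on one port shares it.

PF_IFACE="${PF_IFACE:-eth0}"

# Service map from the article's table: "<port> <upstream-ip> <purpose>".
pf_service_map() {
  cat <<'EOF'
443  146.88.106.210 api.armor.com (agent heartbeat)
4119 146.88.106.197 1a.epsec.armor.com (malware protection, FIM, IDS)
4120 146.88.106.197 1b.epsec.armor.com (DSM)
4122 146.88.106.197 1c.epsec.armor.com (relay)
515  146.88.106.196 1a.log.armor.com (Filebeat / Winlogbeat)
8443 146.88.106.200 1a.mon.armor.com (monitoring)
EOF
}

# Emit the DNAT rule and the matching FORWARD accept for one port/upstream.
pf_rules_for() {
  port="$1"; upstream="$2"
  printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
    "$PF_IFACE" "$port" "$upstream" "$port"
  printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$PF_IFACE" "$upstream" "$port"
}

# Emit the whole ruleset as shell commands so it can be reviewed before use.
pf_generate_rules() {
  printf 'sysctl -w net.ipv4.ip_forward=1\n'
  # Only explicitly listed upstreams may be reached through this host.
  printf 'iptables -P FORWARD DROP\n'
  printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  pf_service_map | while read -r port upstream _rest; do
    pf_rules_for "$port" "$upstream"
  done
  # Rewrite the source address so Armor's replies come back via this host.
  printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$PF_IFACE"
}

# Number of forwarded ports (sanity check against the table).
pf_forwarded_port_count() { pf_service_map | wc -l | tr -d ' '; }

case "${1:-}" in
  show)  pf_generate_rules ;;
  apply) pf_generate_rules | sh -e ;;
esac
```

Run the script with `show` to review the generated commands and with `apply` (as root) to load them, then persist them with iptables-save as the install script does. Because a port-based DNAT forwards each listening port to exactly one upstream, all names the agents map to this host on 4119 (1a, 2a and 3a.epsec.armor.com) land on 146.88.106.197, and 443 goes to api.armor.com; the Remote Access and vulnerability-scanning destinations that also use 443/tcp in the table cannot share that port on a single forwarding address.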


Step 3: Install the port-forwarding server

  1. After the virtual machine has been provisioned and all firewall rules have been created, run the following command to start the install:

    curl -sL https://get.core.armor.com/portforwarding/armor-pfserver-install.sh | sudo bash

    The script:

    • Checks that it is running with root privileges (via sudo)
    • Installs lsb-release and wget if they are not already present
    • Determines whether the operating system is CentOS or Ubuntu
    • Downloads the iptables.conf that matches the operating system
    • Backs up any existing iptables ruleset to /root/iptables-backup, then flushes the filter and nat tables
    • Loads the downloaded ruleset, enables IP forwarding, and makes both persistent across reboots

    Piping a remote script straight into sudo bash gives you no opportunity to review what will run as root. If your change-control process requires it, download the script to a file first, compare it against the contents reproduced below, and only then run it with sudo bash. Note that the script itself fetches the iptables rule files over plain http; review the file it leaves in /tmp before the rules are loaded if you need that assurance.
    Contents of armor-pfserver-install.sh

    #!/bin/bash
    # This script configures the PF server on Ubuntu 14.04 and CentOS 6
    DISTROS="(Ubuntu|CentOS)"

    # Print any collected error message(s) and exit non-zero.
    function exitError () {
      if [[ "$errMsg" == "" ]]; then
        echo ""
        echo "    scripting fail."
        echo ""
        exit 1
      fi
      echo ""
      for i in $(seq 0 $((${#errMsg[*]} - 1))); do
        echo "    ${errMsg[$i]}"
      done
      echo ""
      exit 1
    }

    # lsb_release is needed further down to identify the distribution.
    function install_lsb () {
      if [[ $(grep -Ei CentOS /etc/centos-release | awk '{print $1}') == CentOS ]] > /dev/null; then
        echo -e "Installing lsb-release..."
        yum install -y redhat-lsb > /dev/null 2>&1
      elif [[ $(grep -Ei ^name= /etc/os-release | sed 's/NAME=\|"//g') == Ubuntu ]] > /dev/null; then
        echo -e "Installing lsb-release..."
        apt-get update > /dev/null 2>&1
        apt-get install -y lsb-release > /dev/null 2>&1
      fi
    }

    # wget is used to fetch the distribution-specific iptables ruleset.
    function install_wget () {
      if [[ $(grep -Ei CentOS /etc/centos-release | awk '{print $1}') == CentOS ]] > /dev/null; then
        echo -e "Installing wget..."
        yum install -y wget > /dev/null 2>&1
      elif [[ $(grep -Ei ^name= /etc/os-release | sed 's/NAME=\|"//g') == Ubuntu ]] > /dev/null; then
        echo -e "Installing wget..."
        apt-get update > /dev/null 2>&1
        apt-get install -y wget > /dev/null 2>&1
      fi
    }

    function installUbuntu () {
      UNOW=$(date +"%Y-%m-%d-%H-%M")
      echo -e "Downloading firewall rules..."
      sleep 0.5
      wget -O /tmp/ubuntu14-iptables.conf http://get.core.armor.com/portforwarding/ubuntu14-iptables.conf > /dev/null 2>&1
      chmod 600 /tmp/ubuntu14-iptables.conf
      mkdir -p /root/iptables-backup
      echo -e "Backing up firewall rules to /root/iptables-backup..."
      sleep 0.5
      /sbin/iptables-save > /root/iptables-backup/iptables-backup-$UNOW.fw
      # Flush the existing nat and filter rules, load the downloaded ruleset, and save it.
      /sbin/iptables -t nat -F && \
      /sbin/iptables -F && \
      /sbin/iptables-restore /tmp/ubuntu14-iptables.conf && \
      /sbin/iptables-save > /etc/iptables.rules
      echo -e "Making firewall rules persistent..."
      sleep 0.5
      # Enable IP forwarding now and on every boot.
      sed -i '/^#net.ipv4.ip_forward=1/s/^#//g' /etc/sysctl.conf
      sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
      # Reload the saved rules before an interface comes up, and save them when it goes down.
      echo "#!/bin/sh" >> /etc/network/if-pre-up.d/iptablesload && \
      echo "iptables-restore < /etc/iptables.rules" >> /etc/network/if-pre-up.d/iptablesload && \
      echo "exit 0" >> /etc/network/if-pre-up.d/iptablesload
      echo "#!/bin/sh" >> /etc/network/if-post-down.d/iptablessave && \
      echo "iptables-save -c > /etc/iptables.rules" >> /etc/network/if-post-down.d/iptablessave && \
      echo "if [ -f /etc/iptables.downrules ]; then" >> /etc/network/if-post-down.d/iptablessave && \
      echo "   iptables-restore < /etc/iptables.downrules" >> /etc/network/if-post-down.d/iptablessave && \
      echo "fi" >> /etc/network/if-post-down.d/iptablessave
      chmod +x /etc/network/if-post-down.d/iptablessave
      chmod +x /etc/network/if-pre-up.d/iptablesload
      echo -e "Removing temporary files..."
      sleep 0.5
      rm /tmp/ubuntu14-iptables.conf
      echo -e "\033[0;32mYou are ready to go!\033[0;37m\n"
    }

    function installCentos () {
      CNOW=$(date +"%Y-%m-%d-%H-%M")
      echo -e "Downloading firewall rules..."
      sleep 0.5
      wget -O /tmp/centos6-iptables.conf http://get.core.armor.com/portforwarding/centos6-iptables.conf > /dev/null 2>&1
      chmod 600 /tmp/centos6-iptables.conf
      mkdir -p /root/iptables-backup
      echo -e "Backing up firewall rules to /root/iptables-backup..."
      sleep 0.5
      /sbin/iptables-save > /root/iptables-backup/iptables-backup-$CNOW.fw
      # Flush the existing nat and filter rules and load the downloaded ruleset.
      /sbin/iptables -t nat -F && \
      /sbin/iptables -F && \
      /sbin/iptables-restore /tmp/centos6-iptables.conf
      # Persist the ruleset through the iptables init script.
      /sbin/service iptables save > /dev/null 2>&1
      /sbin/chkconfig iptables on
      echo -e "Making firewall rules persistent..."
      # Enable IP forwarding now and on every boot.
      sed -i '/^net.ipv4.ip_forward\ =\ 0/s/0/1/g' /etc/sysctl.conf
      sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1
      echo -e "Removing temporary files..."
      rm /tmp/centos6-iptables.conf
      echo -e "\033[0;32mYou are ready to go!\033[0;37m\n"
    }

    # Sanity check for root privileges
    if [[ "$UID" != "0" ]]; then
      errMsg="Root privileges are required before running this script."
      exitError
    fi

    # Install lsb_release and wget if they are missing.
    if ! which lsb_release > /dev/null 2>&1; then
      errMsg="Installing lsb-release..."
      install_lsb
    fi
    if ! which wget > /dev/null 2>&1; then
      errMsg="Installing wget..."
      install_wget
    fi

    # Check operating system
    DISTRO=$(lsb_release -is)
    if ! echo $DISTRO | grep -Eq $DISTROS ; then
      errMsg="This operating system is not supported."
      exitError
    fi
    if [[ $(/usr/bin/lsb_release -is) == "CentOS" ]]; then
      installCentos
    else
      installUbuntu
    fi



  2. Install the Anywhere agent on the port-forwarding server.
  3. On every other server that will run Anywhere services, edit the hosts file so that the Armor service names resolve to the port-forwarding server's IP address. In the following entries, replace IP_OF_PF_SERVER with that IP address:

    Example Hosts File Entry
    IP_OF_PF_SERVER    api.armor.com
    IP_OF_PF_SERVER    get.core.armor.com
    IP_OF_PF_SERVER    1a.log.armor.com
    IP_OF_PF_SERVER    2a.log.armor.com
    IP_OF_PF_SERVER    1a.mon.armor.com 1b.mon.armor.com 1c.mon.armor.com
    IP_OF_PF_SERVER    2a.mon.armor.com 2b.mon.armor.com 2c.mon.armor.com
    IP_OF_PF_SERVER    1a.epsec.armor.com 1b.epsec.armor.com 1c.epsec.armor.com
    IP_OF_PF_SERVER    2a.epsec.armor.com 2b.epsec.armor.com 2c.epsec.armor.com

    Note that these entries cover the api, get.core, log, mon and epsec names only; 1a.rs.armor.com (Remote Access) and the vulnerability-scanning endpoints listed in Step 2 are not redirected by them.
  4. Install the Anywhere agent on each of these servers, then verify the installation by reviewing the armor.log file.
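Steps 3 and 4 amount to writing those entries on every agent server and then confirming that the names resolve to the forwarding host and that its ports answer before the agent is installed. The following added example (not Armor's code) does that for Linux agent servers: it validates the forwarding server's IP, renders the hosts block shown above, installs it between marker comments so a rerun replaces rather than duplicates it, and then checks resolution and port reachability. The marker comments, the HOSTS_FILE override and the bash /dev/tcp probe are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Armor's code): generate the hosts-file block from this
# article for a given port-forwarding server IP, install it idempotently
# between marker comments, and check that the names resolve to that IP and
# the forwarded ports answer. The marker text, HOSTS_FILE override and the
# /dev/tcp probe in check_pf_ports are assumptions for illustration.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
BEGIN_MARK="# BEGIN armor-pf"
END_MARK="# END armor-pf"

# Names each agent server must send to the forwarding host (from the article).
armor_pf_names() {
  cat <<'EOF'
api.armor.com
get.core.armor.com
1a.log.armor.com
2a.log.armor.com
1a.mon.armor.com 1b.mon.armor.com 1c.mon.armor.com
2a.mon.armor.com 2b.mon.armor.com 2c.mon.armor.com
1a.epsec.armor.com 1b.epsec.armor.com 1c.epsec.armor.com
2a.epsec.armor.com 2b.epsec.armor.com 2c.epsec.armor.com
EOF
}

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# Render the hosts block for one forwarding-server IP.
gen_hosts_block() {
  valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
  echo "$BEGIN_MARK"
  armor_pf_names | while read -r names; do printf '%s\t%s\n' "$1" "$names"; done
  echo "$END_MARK"
}

# Remove any earlier block, then append the new one, so reruns do not pile up.
install_hosts_block() {
  tmp=$(mktemp)
  [ -f "$HOSTS_FILE" ] && sed "/^$BEGIN_MARK\$/,/^$END_MARK\$/d" "$HOSTS_FILE" > "$tmp"
  gen_hosts_block "$1" >> "$tmp" && cat "$tmp" > "$HOSTS_FILE"
  rm -f "$tmp"
}

# Every name must now resolve to the forwarding server (getent honours /etc/hosts).
check_resolution() {
  for n in $(armor_pf_names); do
    r=$(getent hosts "$n" | awk '{print $1}' | head -n1)
    [ "$r" = "$1" ] || { echo "MISMATCH $n -> ${r:-unresolved}"; return 1; }
  done
  echo "all names resolve to $1"
}

# Probe the agent-facing ports from the article's table via bash's /dev/tcp.
check_pf_ports() {
  for p in 443 4119 4120 4122 515 8443; do
    if timeout 3 bash -c "exec 3<>/dev/tcp/$1/$p" 2>/dev/null; then
      echo "open   $1:$p"
    else
      echo "closed $1:$p"
    fi
  done
}

case "${1:-}" in
  gen)     gen_hosts_block "$2" ;;
  install) install_hosts_block "$2" && check_resolution "$2" ;;
  check)   check_resolution "$2" && check_pf_ports "$2" ;;
esac
```

Run `install <pf-ip>` as root on each agent server, then `check <pf-ip>` before installing the agent; a "closed" port points at a missing firewall rule from Step 2 rather than at the agent. Windows agent servers (Winlogbeat) need the same entries in C:\Windows\System32\drivers\etc\hosts.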

Related documentation

To learn more about how to install the Anywhere agent, see Step 4 in the following documents: